Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d34520e8c28acd7…

Verdict: MALICIOUS

File type: PDF

Size: 34.7 KB
Created: 2020-10-31 06:41:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 28d3e0a52e2cea3d86b306f06aa7ef91
SHA-1: be9d1ea1227c07cfc0c9c8c5bab37d00b61feea5
SHA-256: 9d34520e8c28acd70ab5243675ada9a4d0cca5ee6b7fb7db16ae4c0db4741042
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF contains numerous clickable links to external sites, many of them flagged as malicious or as part of a link farm. The PDF_MALICIOUS_REDIRECTOR_LINK heuristic fired because at least one link annotation, https://cctraff.ru/aws?keyword=6.3.1.8+packet+tracer, points at redirector infrastructure used by a known malicious PDF SEO/adware campaign. The PDF_SEO_LINK_FARM heuristic fired because this small file links to a large number of PDFs hosted on a handful of external sites (mostly *.weebly.com subdomains, plus f-static.net and cdn.shopify.com), a pattern characteristic of machine-generated SEO/link-farm carriers rather than genuine citations; the wkhtmltopdf authoring metadata is consistent with an HTML page rendered to PDF. The Nyx PDF classifier score of 0.9993 independently indicates a malicious document. None of these detections point to a parser exploit: the document works through user clicks and redirect chains, so the exposure is a user who opens it and follows a link, and the listed URLs and hosts are the indicators to block and hunt for.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/aws?keyword=6.3.1.8+packet+tracer
    • https://xonuveviriniw.weebly.com/uploads/1/3/0/7/130738603/lepasipovorako.pdf
    • https://xemivigezeb.weebly.com/uploads/1/3/4/4/134481563/fapimegekir.pdf
    • https://bizetuxerupa.weebly.com/uploads/1/3/0/8/130873791/gisexoji.pdf
    • https://tiposowa.weebly.com/uploads/1/3/1/1/131164246/1843568.pdf
    • https://nikokabiliru.weebly.com/uploads/1/3/1/4/131409463/412712c4.pdf
    • https://cdn-cms.f-static.net/uploads/4378830/normal_5f9097c8359ce.pdf
    • https://fevuxutub.weebly.com/uploads/1/3/4/1/134131759/sirev.pdf
    • https://gogebuzavoriro.weebly.com/uploads/1/3/2/6/132681212/tekon-fisigugarasu.pdf
    • https://cdn-cms.f-static.net/uploads/4367007/normal_5f9313a480eba.pdf
    • https://xojerajap.weebly.com/uploads/1/3/1/3/131384359/nekomeped.pdf
    • https://lorebigida.weebly.com/uploads/1/3/4/3/134377432/3cf439a61fa15e8.pdf
    • https://sefedajexoxoj.weebly.com/uploads/1/3/4/4/134479396/ff270.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0481/2583/7465/files/kegamebakaziwujefibavi.pdf
    • https://cdn.shopify.com/s/files/1/0502/3550/6868/files/need_for_speed_rivals_network_app_android.pdf
    • https://cdn.shopify.com/s/files/1/0501/7885/0992/files/viking_professional_side_by_side_refrigerator_manual.pdf
    • http://scripts.sil.org/OFL
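The two link heuristics above work on the /URI targets of the document's link annotations. The following script is an added example and not the analysis platform's own code: it pulls /URI operands out of the raw PDF bytes and applies a heuristic of the kind PDF_SEO_LINK_FARM describes (small file, many clickable external .pdf links, most of them on one site). The thresholds (64 KB, 8 PDF links, 50 % on the top site), the crude two-label site key, and the sample document are assumptions made for the demo; the sample reuses URLs from the list above. Because it is a byte-level regex, it only sees annotations in uncompressed objects; a PDF that packs its annotations into /ObjStm object streams has to be inflated first.

```python
"""Extract /URI link-annotation targets from a PDF and score the link-farm pattern.
Added example; the sample PDF, thresholds and site key are constructed for the demo."""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI followed by a literal string (...) with backslash escapes, or a hex string <...>.
_URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.S)
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
        b"(": b"(", b")": b")", b"\\": b"\\"}


def _decode_literal(body):
    """Decode the inside of a PDF literal string: \\x escapes, \\ddd octal, \\<EOL> continuation."""
    out, i = bytearray(), 0
    while i < len(body):
        c = body[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        nxt = body[i + 1:i + 2]
        octal = re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])
        if nxt in _ESC:
            out += _ESC[nxt]
            i += 2
        elif octal:
            out.append(int(octal.group(0), 8) & 0xFF)
            i += 1 + len(octal.group(0))
        elif nxt in (b"\r", b"\n"):
            i += 2  # line continuation: drop backslash and end-of-line
        else:
            i += 1  # unknown escape: drop the backslash, keep the character
    return bytes(out)


def _decode_pdf_string(tok):
    if tok[:1] == b"(":
        return _decode_literal(tok[1:-1])
    h = re.sub(rb"\s+", b"", tok[1:-1])
    if len(h) % 2:
        h += b"0"  # an odd trailing hex digit is read as if followed by 0
    return bytes.fromhex(h.decode("ascii"))


def extract_uris(pdf_bytes):
    """All /URI targets in document order, as text (URLs are ASCII in practice)."""
    return [_decode_pdf_string(m.group(1)).decode("latin-1") for m in _URI_RE.finditer(pdf_bytes)]


def site_of(url):
    """Crude registrable-domain key (last two labels); a public-suffix list would be more accurate."""
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_farm_verdict(pdf_bytes, max_size=64 * 1024, min_pdf_links=8, min_site_share=0.5):
    """Return the counts behind the decision plus the boolean verdict (thresholds are assumptions)."""
    uris = extract_uris(pdf_bytes)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    sites = Counter(site_of(u) for u in pdf_links)
    top_site, top_n = sites.most_common(1)[0] if sites else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    small = len(pdf_bytes) <= max_size
    return {"size": len(pdf_bytes), "uri_count": len(uris), "pdf_link_count": len(pdf_links),
            "top_site": top_site, "top_site_share": round(share, 2),
            "link_farm": small and len(pdf_links) >= min_pdf_links and share >= min_site_share}


# Constructed sample, reusing URLs from the report's EMBEDDED_URL list.
SAMPLE_URLS = [
    "https://cctraff.ru/aws?keyword=6.3.1.8+packet+tracer",
    "https://xonuveviriniw.weebly.com/uploads/1/3/0/7/130738603/lepasipovorako.pdf",
    "https://xemivigezeb.weebly.com/uploads/1/3/4/4/134481563/fapimegekir.pdf",
    "https://bizetuxerupa.weebly.com/uploads/1/3/0/8/130873791/gisexoji.pdf",
    "https://tiposowa.weebly.com/uploads/1/3/1/1/131164246/1843568.pdf",
    "https://nikokabiliru.weebly.com/uploads/1/3/1/4/131409463/412712c4.pdf",
    "https://cdn-cms.f-static.net/uploads/4378830/normal_5f9097c8359ce.pdf",
    "https://fevuxutub.weebly.com/uploads/1/3/4/1/134131759/sirev.pdf",
    "https://cdn.shopify.com/s/files/1/0481/2583/7465/files/kegamebakaziwujefibavi.pdf",
    "http://www.ascendercorp.com/typedesigners.html",
    "http://scripts.sil.org/OFL",
]


def build_sample_pdf(urls):
    """Constructed sample: one page whose /Annots are /Link annotations, one per URL.
    The last URI is written as a hex string to exercise that path. No xref table is
    emitted, so this is enough for the extractor but not a viewer-valid PDF."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots ["
            + b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls))) + b"] >> endobj"]
    for i, url in enumerate(urls):
        raw = url.encode("latin-1")
        if i == len(urls) - 1:
            operand = b"<" + raw.hex().encode("ascii") + b">"
        else:
            lit = raw.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
            operand = b"(" + lit + b")"
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI "
                    % (4 + i) + operand + b" >> >> endobj")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(link_farm_verdict(build_sample_pdf(SAMPLE_URLS)))
```

On the constructed sample the verdict reports 11 URIs, 8 of them PDF links, with weebly.com holding 75 % of the PDF links, which is the clustering the rule text describes. Run it against a real sample with `link_farm_verdict(open(path, "rb").read())`; if `uri_count` is zero on a file you know has links, inflate its object streams first.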

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000066ee.bin
SHA-256: fae1c9f85548c61b1924f70008e56029f1a2269fbe1047125aabd0b3eda4c2f5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x66EE
Size: 4808 bytes
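The artifact above is an sfnt (TrueType/OpenType) blob carved from a font stream at a stated offset and length. The script below is an added example, not the platform's carver: given the PDF bytes and an offset/length pair, it slices out the blob, validates the sfnt offset table and table directory, recomputes each table checksum (skipping 'head', whose checkSumAdjustment field makes its checksum depend on the whole font), and returns the SHA-256 of exactly the bytes carved, so the hash in the report can be reproduced and a blob that merely starts with a font header but carries something else in its tables stands out. The one-table font and the PDF wrapper are constructed for the demo.

```python
"""Carve an sfnt font blob from a PDF, sanity-check its table directory and hash it.
Added example; the sample font and PDF wrapper are constructed for the demo."""
import hashlib
import struct

SFNT_VERSIONS = {b"\x00\x01\x00\x00": "TrueType", b"OTTO": "OpenType/CFF", b"true": "Apple TrueType"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def table_checksum(data):
    """OpenType table checksum: sum of big-endian uint32 words, zero-padded to 4 bytes, mod 2**32."""
    data = data + b"\0" * ((-len(data)) % 4)
    return sum(struct.unpack(">%dI" % (len(data) // 4), data)) & 0xFFFFFFFF


def parse_sfnt(blob):
    """Parse the offset table and table directory; raise ValueError for anything that is not an sfnt."""
    if len(blob) < 12:
        raise ValueError("too short for an sfnt offset table")
    kind = SFNT_VERSIONS.get(blob[:4])
    if kind is None:
        raise ValueError("not an sfnt: version tag %r" % blob[:4])
    (num_tables,) = struct.unpack(">H", blob[4:6])
    tables = []
    for i in range(num_tables):
        rec = blob[12 + 16 * i:28 + 16 * i]
        if len(rec) < 16:
            raise ValueError("table directory truncated")
        tag, csum, off, length = struct.unpack(">4sIII", rec)
        if off + length > len(blob):
            raise ValueError("table %r runs past the end of the blob" % tag)
        # 'head' holds checkSumAdjustment, so its own checksum is not verifiable this way.
        ok = tag == b"head" or table_checksum(blob[off:off + length]) == csum
        tables.append({"tag": tag.decode("latin-1"), "offset": off, "length": length, "checksum_ok": ok})
    return {"kind": kind, "num_tables": num_tables, "tables": tables}


def analyze_carved_font(pdf_bytes, offset, length):
    """Carve [offset, offset + length) from the PDF, parse it as sfnt and hash the carved bytes."""
    blob = pdf_bytes[offset:offset + length]
    if len(blob) != length:
        raise ValueError("offset/length exceed the file")
    info = parse_sfnt(blob)
    info["sha256"] = sha256_hex(blob)
    return info


def build_sample_font():
    """Constructed one-table TrueType sfnt: offset table, one 'cmap' record, 10 bytes of filler data."""
    data = bytes(range(10))
    num_tables = 1
    # searchRange = 16 * (largest power of 2 <= numTables), entrySelector = its log2, rangeShift = rest
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", num_tables, 16, 0, 0)
    record = struct.pack(">4sIII", b"cmap", table_checksum(data), 12 + 16 * num_tables, len(data))
    return header + record + data


def build_sample_pdf(font):
    """Constructed wrapper: the font sits in a FontFile stream; returns (pdf_bytes, offset, length)."""
    head = b"%%PDF-1.4\n5 0 obj << /Length %d >>\nstream\n" % len(font)
    pdf = head + font + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    return pdf, len(head), len(font)


if __name__ == "__main__":
    pdf, off, ln = build_sample_pdf(build_sample_font())
    print(analyze_carved_font(pdf, off, ln))
```

For the report's own artifact the call would be `analyze_carved_font(open(sample, "rb").read(), 0x66EE, 4808)`, and the returned `sha256` should equal the fae1c9f8… digest listed above; a `checksum_ok` of False on a non-'head' table or a ValueError means the carved bytes are not the well-formed font the stream claims to be.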